Set up a mutual TLS Gateway

This tutorial shows how to set up a mutual TLS Gateway and configure authentication based on certificate details.

Prerequisites

Before you start, Set up a custom-domain and prepare a certificate to expose a workload.

Steps

  1. Export the following values as environment variables:

    Click to copy
    export DOMAIN_TO_EXPOSE_WORKLOADS={DOMAIN_NAME}

    NOTE: DOMAIN_NAME is the domain that you own, for example, api.mydomain.com

  2. Create a Namespace and export its value as an environment variable. Run:

    NOTE: Skip this step if you already have a Namespace

    Click to copy
    export NAMESPACE={NAMESPACE_NAME}
    kubectl create ns $NAMESPACE
    kubectl label namespace $NAMESPACE istio-injection=enabled --overwrite

  3. Export Gateway name, TLS secret name, and client root Certificate Authority (CA) crt file path:

    Click to copy
    export MTLS_GATEWAY_NAME=mtls-gateway
    export TLS_SECRET={TLS_SECRET_NAME} # The name of the TLS Secret that was created during the setup of the custom domain, for example, httpbin-tls-credentials
    export CLIENT_ROOT_CA_CRT_FILE={CLIENT_ROOT_CA_CRT_FILE}

  4. Create mTLS Gateway (mode: MUTUAL):

    Click to copy
    cat <<EOF | kubectl apply -f -
    ---
    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: ${MTLS_GATEWAY_NAME}
      namespace: ${NAMESPACE}
    spec:
      selector:
        istio: ingressgateway
        app: istio-ingressgateway
      servers:
        - port:
            number: 443
            name: https
            protocol: HTTPS
          tls:
            mode: MUTUAL
            credentialName: ${TLS_SECRET}
            minProtocolVersion: TLSV1_2
            cipherSuites:
            - ECDHE-RSA-CHACHA20-POLY1305
            - ECDHE-RSA-AES256-GCM-SHA384
            - ECDHE-RSA-AES256-SHA
            - ECDHE-RSA-AES128-GCM-SHA256
            - ECDHE-RSA-AES128-SHA
          hosts:
            - '*.${DOMAIN_TO_EXPOSE_WORKLOADS}'
        - port:
            number: 80
            name: http
            protocol: HTTP
          tls:
            httpsRedirect: true
          hosts:
            - '*.${DOMAIN_TO_EXPOSE_WORKLOADS}'
    EOF

  5. Add client root CA to CA cert bundle secret for mTLS Gateway. Export the following value as an environment variable and run the command:

    Click to copy
    # Add CA Cert to kyma-mtls-gateway
    export CLIENT_ROOT_CA_CRT_ENCODED=$(cat ${CLIENT_ROOT_CA_CRT_FILE}| base64)
    cat <<EOF | kubectl apply -f -
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: ${TLS_SECRET}-cacert
      namespace: istio-system
    type: Opaque
    data:
      cacert: ${CLIENT_ROOT_CA_CRT_ENCODED}
    EOF